Perfecting security in the cloud

Thanks to the endless onslaught of marketing (and that new Cameron Diaz movie), everyone has heard about the “cloud,” but most people are still confused as to what that term really means. More importantly, everyone seems perplexed about what it could mean for their firms. While the National Institute of Standards & Technology (NIST) only defines three major categories for cloud or outsourced technical services, there are many, many more flavors and blended options available and emerging every day. NIST pairs Infrastructure as a Service (IaaS) with such offerings as Amazon AWS, Platform as a Service (PaaS) with GoDaddy, and Software as a Service (SaaS) with offerings such as Google Docs and Office365.

With innovation and end user demands exceeding onsite IT resources, outsourcing is a viable means of delivering requested services. Initially, the financial benefits of outsourcing or “going to the cloud” prompt the discussion as to whether a firm should proceed with the migration. During this thought process there are other very important things to consider that may impact the cost comparison. A recent Ponemon Institute report entitled “Data Breach: The Cloud Multiplier Effect” gave a haunting warning that increasing the use of the cloud can increase the probability of a multimillion-dollar data breach by as much as three times. So what do you need to know before you begin?

For starters, where is the data that you create and store being physically kept? Many less expensive cloud/outsourced solutions won’t — or can’t — tell you with any certainty. While this may work for some organizations or for personal use, in regulated industries such as finance, healthcare and legal, not so much. Law firms have to know exactly where everything is at all times. Just because someone else is providing the technology does not relieve an organization of the risks or the responsibility of providing the required confidentiality, integrity and availability of data. You need to know where your data is. Many inexpensive outsourced solutions use technology hosted in foreign countries to keep their costs low. By requiring that your data either reside in a specific location in the United States or be located in another dedicated location, some of the cost savings of a cloud/outsourced solution begin to erode.

Another question to ask is, “Does the cloud/outsourced provider scale well?” The big players, such as Amazon and Microsoft, make this question moot, but there are many smaller and local businesses offering sound cloud or outsourced solutions. I am all for working with smaller companies and managed services, as long as they can keep up with my business demands. Smaller clouds may not be able to grow as fast as your data grows. Keep in mind that law firms never throw anything away, creating a need for additional space. Also, with co-tenant technologies, you need to ask if a busy cloud neighbor is going to impede your performance. While working with a local vendor may address your concerns about where your data resides, smaller co-tenant solutions may take longer for the implementation of infrastructure upgrades when capacity is reached.

This isn’t a pitch for using larger IaaS solutions, like Amazon and Microsoft Azure. They mostly deliver the infrastructure to build your own server farm, but since YOU are still responsible for security maintenance and most upgrades, a key component is maintaining a secure network. Also, just because you have put strong perimeter security into place doesn’t mean that your provider does as well, or that the other tenants in the shared space do, either. Could there be a potential soft target sitting next to you while you barricade the front door? With literally thousands of customers, do you expect concierge-like service from that provider? If so, you may be in for a rude awakening.

In dealing with actual data within law firms, the use of encryption is no longer an option. It’s a part of the new normal and needs to be done to ensure privacy and compliance. When dealing with outsourced providers, the question to ask about the cloud is, “Is my data encrypted both at rest and while in transit?”

Finally, the use of encryption and other security controls stems from the need for firms to remain compliant with several regulations, such as HIPAA. Some IaaS or hosted sites may not meet the requirements of government privacy or security regulations by default, e.g., U.S. government files residing on servers physically being operated in foreign countries. Know where your data is.
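The three questions raised above (where does the data physically reside, is it encrypted at rest, is it encrypted in transit) can be turned into a repeatable check rather than a one-time conversation with the vendor. The following Python script is an added example for this article, not the article's own material or any provider's code. It audits a hand-constructed inventory of storage resources; the field names, the approved-region list and the "firm" versus "provider" key-ownership distinction are assumptions for illustration, not any vendor's schema.

```python
"""Audit a storage inventory for data residency and encryption posture.

Added example (not from the article). The inventory is constructed by hand
in the shape one might assemble from a provider's management API; all field
names are assumptions, not a real vendor's schema.
"""
from dataclasses import dataclass


@dataclass
class StorageResource:
    name: str
    region: str            # where the bytes physically live
    at_rest: bool          # server-side encryption enabled?
    key_owner: str         # "firm" (customer-managed key) or "provider"
    min_tls: str           # lowest TLS version the endpoint accepts
    allow_plaintext: bool  # is unencrypted (non-TLS) access still accepted?


@dataclass
class Finding:
    resource: str
    severity: str
    issue: str


# Assumption: the firm's residency policy allows only these two U.S. regions.
ALLOWED_REGIONS = {"us-east-1", "us-west-2"}
ACCEPTABLE_TLS = {"1.2", "1.3"}


def audit(inventory, allowed_regions=ALLOWED_REGIONS):
    """Return one Finding per control failure across the inventory."""
    findings = []
    for r in inventory:
        # Question 1: where is the data? Anything outside the approved set fails.
        if r.region not in allowed_regions:
            findings.append(Finding(r.name, "high",
                                    f"data resides in {r.region}, outside approved regions"))
        # Question 2: encrypted at rest? A provider-held key is weaker than a firm-held one.
        if not r.at_rest:
            findings.append(Finding(r.name, "high", "no encryption at rest"))
        elif r.key_owner != "firm":
            findings.append(Finding(r.name, "medium",
                                    "at-rest key is provider-managed; firm does not control it"))
        # Question 3: encrypted in transit? Plaintext access is the worst case,
        # otherwise require a modern minimum TLS version.
        if r.allow_plaintext:
            findings.append(Finding(r.name, "high", "plaintext (non-TLS) access is accepted"))
        elif r.min_tls not in ACCEPTABLE_TLS:
            findings.append(Finding(r.name, "medium",
                                    f"minimum TLS version {r.min_tls!r} is below 1.2"))
    return findings


def non_compliant(inventory, allowed_regions=ALLOWED_REGIONS):
    """Names of resources with at least one finding."""
    return {f.resource for f in audit(inventory, allowed_regions)}


# Constructed sample inventory (illustrative only).
SAMPLE_INVENTORY = [
    StorageResource("matter-files", "us-east-1", True, "firm", "1.2", False),
    StorageResource("email-archive", "eu-west-1", True, "provider", "1.2", False),
    StorageResource("scan-dropbox", "us-west-2", False, "", "1.0", True),
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"[{f.severity.upper()}] {f.resource}: {f.issue}")
```

Run against the sample inventory, the script flags the archive for residing outside the approved regions and for a provider-held key, and the drop box for lacking encryption at rest and accepting plaintext connections; the matter store passes. In practice the inventory would be populated from the provider's API rather than typed in, but the decision logic stays the same, and re-running it after every migration or vendor change keeps the "know where your data is" requirement verifiable rather than assumed.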

Despite the challenges mentioned here, technology outsourcing, or the cloud, is still a sound option as long as you ask the right questions and identify the risks before you migrate. Law firms are still responsible for knowing where their sensitive data is and how it is being stored and protected, regardless of who is running the storage. Many bar associations have approved outsourcing technology, so it’s wise to become familiar with their recommendations and guidelines. Something to note: not all clouds are equal. You need to know what to ask and how to compare offerings, especially when it comes to security.